Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp4236195imu; Mon, 14 Jan 2019 18:15:52 -0800 (PST) X-Google-Smtp-Source: ALg8bN7M7LACcggNvU9HG64tRcevrwH3pLjAs1+aHVuHs5lc+x+93ljAJdpgU5JV9J3P3+PC85i6 X-Received: by 2002:a17:902:2b8a:: with SMTP id l10mr1564196plb.70.1547518552813; Mon, 14 Jan 2019 18:15:52 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547518552; cv=none; d=google.com; s=arc-20160816; b=SZBgVuLXzz2Jte6L1GZsBDnEDmt3AsDrWEI0lutNSrHk7+IBQIDPUDyH2ovZiU0ptg seO4uublOJ96JKe9gx6o2stFPLYeU+4Gy6LE0LxgyfOubt7bbQyAeJB+D3PSp459tXdN 8pmwM/cSvoy98UtdaOoJiTRrkXYfoxTOLCfamErD39aBFMCJT4iE3owx40bvmgKRdEMC TwlZUnP0UpukDHkNCNt9q2ZlBNGvddmQEzm5eCxpQIVcbg6NRwxE8kbqb+j/Nals3btI n75xHAj7ZhZrhtLYlz9ATa98K0kx7Uytt3X++JPra7y5QXd7h5bRqrhGbxIAVqLy5GU5 NZOw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=K5Mn0H2GmTAtAKZeaYpB0QFNGy2tuSWnsbYLaeOZCD8=; b=knykYgTEQen4dUwwZUexBDXvNKdp2mOsSHlN6LFRURkQGqTR8GG//uP/LwN7AXYhz/ 5e4ikiFzFDslAWXyujUyZ7Yifx5bpnkYFhSt4Zj/hQmBFPRxgxC546TReBxoLret+MYP bVji1tVv91rFmTB3ul/ffLxXNjGh4dW6JO8WPsLUq42jaiM9QBgeDsKsLB63TzAEJ8AA es3Yuc4DBoi9j79xWix8l9B4s3W3jHgd0kQdnLJ33fxDwEIqz5D3tCV2e/N39Y+JCQzO vlddbSPqlLjWBWPD0r6Lt1eRiSVRBK/9gin49n+cDm2gwcQw5UYHiSuI0hiqEaTf1LFm wK6w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=hjuxFtY9; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v61si2023906plb.54.2019.01.14.18.15.33; Mon, 14 Jan 2019 18:15:52 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=hjuxFtY9; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727211AbfAOBDH (ORCPT + 99 others); Mon, 14 Jan 2019 20:03:07 -0500 Received: from mail-vs1-f68.google.com ([209.85.217.68]:34711 "EHLO mail-vs1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726769AbfAOBDG (ORCPT ); Mon, 14 Jan 2019 20:03:06 -0500 Received: by mail-vs1-f68.google.com with SMTP id y27so680315vsi.1 for ; Mon, 14 Jan 2019 17:03:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=K5Mn0H2GmTAtAKZeaYpB0QFNGy2tuSWnsbYLaeOZCD8=; b=hjuxFtY9bS1qDuIQpvvyF0dIfHxf5RQS211DF9clP205V/bDHvYaHraYw/8bMriR8E EBXjuXNbi/5UPpPhp9lo75QA6okX+LVCgVMwBuFfOLTvF3GQtECoDSQwqJkRMwAOzwNl eCentY9YB/+Zep+zSRlYXsI30Ie9MSLpAFW6U= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=K5Mn0H2GmTAtAKZeaYpB0QFNGy2tuSWnsbYLaeOZCD8=; b=SAZ9j3tbnjhwM+AEToZuPXsVEeUxt4iOrsTYE4z1n1gAZK0EKc9jieoEu4VMDcAmjZ mLaNqsq+Q3P2lCw4ejn70+nvYzIzys82akvaIJ5cFJos+iFJeHMy/ebLrswspTrvAATz h6azRJtB64USwP+Y2BkKKLSj7NFmQGsSdQayplW6nPKApi5xwvDss5blkwJSTzPhDf/5 Sp1Mytix7isyvFnBlQ0gORa62SjfEVCSStpA4UrvKQwHhXvnLzGDLtWxRbXHPwkEdtpm UlHWRa46VjQCSbZcq4ha7CGusnm8IDqzBSj/iFxxU8F6Ugx7pKP7+Fqu3f1UUbLfjvXk NAug== X-Gm-Message-State: AJcUukeZRa5beLSpTNDPcM8/AusbH5QtuYuu+vrarNP1dmfsO6FPtSTY DlY/70jddVgVJdlBtKuxXRZqkZXfVZc= X-Received: by 2002:a67:4c51:: with SMTP id z78mr465630vsa.99.1547514185202; Mon, 14 Jan 2019 17:03:05 -0800 (PST) Received: from mail-vs1-f48.google.com (mail-vs1-f48.google.com. [209.85.217.48]) by smtp.gmail.com with ESMTPSA id w65sm4100649vsc.16.2019.01.14.17.03.03 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 14 Jan 2019 17:03:04 -0800 (PST) Received: by mail-vs1-f48.google.com with SMTP id x64so657329vsa.5 for ; Mon, 14 Jan 2019 17:03:03 -0800 (PST) X-Received: by 2002:a67:e15e:: with SMTP id o30mr601519vsl.66.1547514183309; Mon, 14 Jan 2019 17:03:03 -0800 (PST) MIME-Version: 1.0 References: <20190112152844.26550-1-w@1wt.eu> In-Reply-To: <20190112152844.26550-1-w@1wt.eu> From: Kees Cook Date: Mon, 14 Jan 2019 17:02:51 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 1/8] lkdtm: change snprintf to scnprintf for possible overflow To: Willy Tarreau Cc: Silvio Cesare , LKML , Dan Carpenter , Will Deacon , Greg KH Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Jan 12, 2019 at 7:28 AM Willy Tarreau wrote: > > From: Silvio Cesare > > Change snprintf to scnprintf. There are generally two cases where using > snprintf causes problems. (I didn't find a 0/8 cover letter, so I'm replying here...) Many of these fixes are just robustness updates (e.g. the lkdtm case below is not current a problem: the size of the static array getting displayed is less than PAGE_SIZE). It might be worth noting which are actually problems (and include the appropriate Cc: and Fixes: lines). > > 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...) > In this case, if snprintf would have written more characters than what the > buffer size (SIZE) is, then size will end up larger than SIZE. In later > uses of snprintf, SIZE - size will result in a negative number, leading > to problems. Note that size might already be too large by using > size = snprintf before the code reaches a case of size += snprintf. > > 2) If size is ultimately used as a length parameter for a copy back to user > space, then it will potentially allow for a buffer overflow and information > disclosure when size is greater than SIZE. When the size is used to index > the buffer directly, we can have memory corruption. This also means when > size = snprintf... is used, it may also cause problems since size may become > large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel > configuration. > > The solution to these issues is to use scnprintf which returns the number of > characters actually written to the buffer, so the size variable will never > exceed SIZE. > > Signed-off-by: Silvio Cesare > Cc: Dan Carpenter > Cc: Kees Cook > Cc: Will Deacon > Cc: Greg KH > Signed-off-by: Willy Tarreau Are these changes going into someone's single tree, or are they intended for individual maintainers to pick up? Acked-by: Kees Cook -Kees > > --- > drivers/misc/lkdtm/core.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c > index 2837dc77478e..610aa3bfe630 100644 > --- a/drivers/misc/lkdtm/core.c > +++ b/drivers/misc/lkdtm/core.c > @@ -347,9 +347,9 @@ static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf, > if (buf == NULL) > return -ENOMEM; > > - n = snprintf(buf, PAGE_SIZE, "Available crash types:\n"); > + n = scnprintf(buf, PAGE_SIZE, "Available crash types:\n"); > for (i = 0; i < ARRAY_SIZE(crashtypes); i++) { > - n += snprintf(buf + n, PAGE_SIZE - n, "%s\n", > + n += scnprintf(buf + n, PAGE_SIZE - n, "%s\n", > crashtypes[i].name); > } > buf[n] = '\0'; > -- > 2.19.2 > -- Kees Cook